Information generation apparatus, method, program, and recording medium for deriving a decryption key from another decryption key

ABSTRACT

Hierarchical cryptography expressed in a general semiordered structure other than a tree structure is implemented. In information generation, random numbers σ v  and (σ vj ) jεw(v) εZ q  are generated; main information k v =σ v Σ iε{1, . . . , N-1}\w(v) v i b i *+b N * is calculated; and derivation information k vj =σ vj Σ iε{1, . . . , N-1}\w(v) v i b i *+b j * is calculated for each jεw(v). In information derivation, random numbers σ u  and (σ uj ) jεw(u) εZ q  are generated; main information k u =σ u Σ iεw(v)\w(u) u i k vi +k v  is calculated; and derivation information k uj =σ uj Σ iεw(v)\w(u) u i k vi +k vj  is calculated for each jεw(v).

TECHNICAL FIELD

The present invention relates to an application of information security technology. For example, the present invention relates to hierarchical cryptography in which a decryption key having a limited decryption ability can be derived from another decryption key.

BACKGROUND ART

The technology described in Non-patent literature 1 is a known conventional technology for hierarchical cryptography.

PRIOR ART LITERATURE Non-Patent Literature

-   Non-patent literature 1: Craig Gentry, Alice Siverberg,     “Hierarchical ID-Based Cryptography,” ASIACRYPT 2002, pp. 548-566

DISCLOSURE OF THE INVENTION Problems to be Solved by the Invention

In the technology described in Non-patent literature 1, a key corresponding to a child node in a tree structure can be derived from a key corresponding to a parent node, but key derivation cannot be implemented in a general semiordered structure s other than a tree structure. For example, in a structure having a parent node A, a parent node B, and a common child node C, it is not possible to derive a key of the common child node C from a key of the parent node A or to derive a key of the common child node C from a key of the parent node B.

Means to Solve the Problems

To solve the foregoing problem, an information generation apparatus according to Claim 1 includes a random number generator adapted to generate a random number σ_(Y)εZ_(q) and a random number σ_(Yj)εZ_(q) corresponding to each element jεw(Y) of a set w(Y); a main information generator adapted to use the generated random number σ_(Y) to calculate main information k_(Y) that satisfies k_(Y)=σ_(Y)Σ_(iε{1, . . . , N-1}\w(Y))Y_(i)b_(i)*+b_(N)*; and a derivation information generator adapted to use the generated random number σ_(Yj) to calculate derivation information k_(Yj) that satisfies k_(Yj)=σ_(Yj)Σ_(eε{1, . . . , N-1}\w(Y))Y_(i)b_(i)*+b_(j)* for each element jεw(Y) of the set w(Y); where e is a non-degenerate, bilinear function that outputs one element of a cyclic group G_(T) in response to inputs of N elements γ_(L) (L=1, . . . , N) (N≧2) of a cyclic group G₁ and N elements γ_(L)*(L=1, . . . , N) of a cyclic group G₂; b_(i)εG₁ ^(N) (i=1, . . . , N) is an N-dimensional basis vector having N elements of the cyclic group G₁ as elements; b_(j)*εG₂ ^(N) (j=1, . . . , N) is an N-dimensional basis vector having N elements of the cyclic group G₂ as elements; a function value obtained when each element of the basis vector b_(i)εG₁ ^(N) (i=1, . . . , N) and each element of the basis vector b_(j)*εG₂ ^(N) (j=1, . . . , N) are put into the bilinear function e is represented by g_(T) ^(τ·δ(i,j))εG_(T), using a Kronecker's delta function in which δ(i,j)=1_(F) when i=j and δ(i,j)=0_(F) when i≠j; 0_(F) is an additive unit element of a finite field F_(q); 1_(F) is a multiplicative unit element of the finite field F_(q); τ is an element of the finite field F_(q), other than 0_(F); and g_(T) is a generator of the cyclic group G_(T); * indicates an indeterminate character; an index Y is Y=(Y₁, . . . , Y_(N-1))εI=(F_(q)∪{*})^(N-1); and the set w(Y) corresponds to the index Y, and w(Y)={i|Y₁=*}.

An information generation apparatus according to Claim 4 includes a storage unit adapted to store main information k_(v) serving as main information k_(Y) or corresponding to an index v, derived from the main information k_(Y) and derivation information k_(Yj), and derivation information k_(vj) serving as the derivation information k_(Yj) or corresponding to the index v, derived from the derivation information k_(Yj); a child random number generator adapted to generate a random number σ_(u)εZ_(q); and a main information deriving unit adapted to use the main information k_(v) and derivation information k_(vi), both of which are read from the storage unit, and the generated random number σ_(u) to calculate main information k_(u) corresponding to an index u, which satisfies k_(u)=σ_(u)Σ_(iεw(v)\w(u))u_(i)k_(vi)+k_(v); where e is a non-degenerate, bilinear function that outputs one element of a cyclic group G_(T) in response to inputs of N elements γ_(L) (L=1, . . . , N) (N≧2) of a cyclic group G₁ and N elements γ_(L)* (L=1, . . . , N) of a cyclic group G₂; b_(i)εG₁ ^(N) (i=1, . . . , N) is an N-dimensional basis vector having N elements of the cyclic group G₁ as elements; b_(j)*εG₂ ^(N) (j=1, . . . , N) is an N-dimensional basis vector having N elements of the cyclic group G₂ as elements; a function value obtained when each element of the basis vector b_(i)εG₁ ^(N) (i=1, . . . , N) and each element of the basis vector b_(j)*εG₂ ^(N) (j=1, . . . , N) are put into the bilinear function e is represented by g_(T) ^(τ·δ(i,j))εG_(T), using a Kronecker's delta function in which δ(i, j)=1_(F) when i=j and δ(i, j)=0_(F) when i≠j; 0_(F) is an additive unit element of a finite field F_(q); 1_(F) is a multiplicative unit element of the finite field F_(q); τ is an element of the finite field F_(q), other than 0_(F); and g_(T) is a generator of the cyclic group G_(T); * indicates an indeterminate character; an index Y is Y=(Y₁, . . . , Y_(N-1))εI=(F_(q)∪{*})^(N-1); a set w(Y) corresponding to the index Y is w(Y)={i|Y_(i)=*}; σ_(Y)εZ_(q) is a random number; σ_(Yi)εZ_(q) is a random number corresponding to each element jεw(Y) of the set w(Y); the main information k_(Y) corresponds to the index Y and satisfies k_(Y)=σ_(Y)Σ_(iε{1, . . . , N-1}\w(Y))Y_(i)b_(i)*+b_(N)*; the derivation information k_(Yj) corresponds to the index Y and satisfies k_(Yj)=σ_(Yj)Σ_(iε{1, . . . , N-1}\w(Y))Y_(i)b_(i)*+b_(j)*; * indicates an indeterminate character; the index v is v=(v₁, . . . , v_(N-1))εI=(F_(q)∪{*})^(N-1); the index u is u=(u₁, . . . , u_(N-1))εI=(F_(q)∪{*})^(N-1); w(v) is a set corresponding to the index v and w(v)={i|v_(i)=*}; w(u) is a set corresponding to the index u and w(u)={i|u_(i)=*}; w(u)⊂w(v); and v_(i)=u_(i)(iε{1, . . . , N−1}\w(v)).

An information generation apparatus according to Claim 6 includes a random number generator adapted to generate a random number r_(Y)εZ_(q); a first main information generator adapted to use the generated random number r_(Y) to calculate first main information k_(Y) that satisfies k_(Y)=g₂ ^(a)(g₃Π_(iε{1, . . . , N-1}\w(Y))h_(i) ^(Yi))^(rY); a second main information generator adapted to use the generated random number r_(Y) to calculate second main information g^(rY); and a derivation information generator adapted to use the generated random number r_(Y) to calculate derivation information k_(Yj) that satisfies k_(Yj)=h_(j) ^(rY) for each element jεw(Y) of a set w(Y); where G and G_(T) are cyclic groups having a prime number order q; g is a generator of the cyclic group G; the cyclic group G has a pairing function e: G×G→G_(T), which makes g_(T)=e(g, g) a generator of the cyclic group G_(T); a is a random number selected at random from Z_(p); g, g₁=g^(a)εG, and g₂, g₃, h₁, . . . , h_(N-1)εG randomly selected from the cyclic group G are made publicly available as public keys; * indicates an indeterminate character; an index Y is Y=(Y₁, . . . , Y_(N-1))εI=(F_(q)∪{*})^(N-1); the set w(Y) corresponds to the index Y; and w(Y)={i|Y_(i)=*}.

An information generation apparatus according to Claim 9 includes a random number generator adapted to generate a random number r_(u)εZ_(q); a storage unit adapted to store main information k_(v) serving as main information K_(Y) or corresponding to an index v, derived from first main information k_(Y) and derivation information k_(Yj), and derivation information k_(vj) serving as derivation information k_(Yj) or corresponding to the index v, derived from the derivation information k_(Yj); a first main information deriving unit adapted to use the first main information k_(v) and derivation information k_(vi), both of which are read from the storage unit, to calculate first main information k_(u) corresponding to an index u, which satisfies k_(u)=k_(v)(Π_(iεw(v)\w(u))k_(vi) ^(ui)) (g₃Π_(iε{1, . . . , N-1}\w(v))h_(i) ^(vi)Π_(iεw(v)\w(u))h_(i) ^(ui))^(ru); and a second main information deriving unit adapted to use the generated random number r_(u) to calculate second main information g^(ru); where G and G_(T) are cyclic groups having a prime number order q; g is a generator of the cyclic group G; the cyclic group G has a pairing function e: G×G→G_(T), which makes g_(T)=e(g, g) a generator of the cyclic group G_(T); a is a random number selected at random from Z_(p); g, g₁=g^(a)εG, and g₂, g₃, h₁, . . . , h_(N-1)εG randomly selected from the cyclic group G are made publicly available as public keys; * indicates an indeterminate character; an index Y is Y=(Y₁, . . . , Y_(N-1))εI=(F_(q)∪{*})^(N-1); a set w(Y) corresponding to the index Y is w(Y)={i|Y_(i)=*}; r_(Y)εZ_(q) is a random number; the first main information k_(Y) corresponds to the index Y and satisfies k_(Y)=g₂ ^(a) (g₃Π_(iε{1, . . . , N-1}\w(Y))h_(i) ^(Yi))^(rY); g^(rY) is second main information corresponding to the index Y; the derivation information k_(Yj) corresponds to the index Y and satisfies k_(Yj)=h_(j) ^(rY); * indicates an indeterminate character; the index v is v=(v₁, . . . , v_(N-1))εI=(F_(q)∪{*})^(N-1); w(v) is a set corresponding to the index v and w(v)={i|v_(i)=*}; the index u is u=(u₁, . . . , u_(N-1))εI=(F_(q)∪{*})^(N-1); w(u) is a set corresponding to the index u and w(u)={i|u_(i)=*}; set w(u)⊂set w(v); and v_(i)=u_(i)(iε{1, . . . , N−1}\w(v)).

Effects of the Invention

In a structure having a parent node A, a parent node B, and a common child node C, it is possible to derive information of the common child node C from information of the parent node A and to derive information of the common child node C from information of the parent node B.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is an example functional block diagram of an information generation apparatus according to a first embodiment;

FIG. 2 is an example flowchart of information generation in the first embodiment;

FIG. 3 is an example flowchart of information derivation in the first embodiment;

FIG. 4 is an example functional block diagram of an information generation apparatus according to a second embodiment;

FIG. 5 is an example flowchart of information generation in the second embodiment; and

FIG. 6 is an example flowchart of information derivation in the second embodiment.

DETAILED DESCRIPTION OF THE EMBODIMENTS

Embodiments of the present invention will be described below in detail.

Predicate Encryption

An overview of predicate encryption, which is a concept used in a first embodiment, will be described first.

DEFINITIONS

Terms and symbols to be used in the embodiments will be defined first.

Matrix: A matrix represents a rectangular arrangement of elements of a set in which an operation is defined. Not only elements of a ring but also elements of a group can form the matrix.

(•)^(T): Transposed matrix of “•”

(•)⁻¹: Inverse matrix of “•”

Logical AND

Logical OR

Z: Set of integers

k: Security parameter (kεZ, k>0)

{0, 1}*: Binary sequence having a desired bit length. An example is a sequence formed of integers 0 and 1. However, {0, 1}* is not limited to sequences formed of integers 0 and 1. {0, 1}* is a finite field of order 2 or its extention field.

{0, 1}^(ζ): Binary sequence having a bit length ζ (ζεZ, ζ>0). An example is a sequence formed of integers 0 and 1. However, {0, 1}^(ζ) is not limited to sequences formed of integers 0 and 1. {0, 1}^(ζ) is a finite field of order 2 (when ζ=1) or an extention field obtained by extending the finite field by degree ζ (when ζ>1).

(+): Exclusive OR operator between binary sequences. For example, the following is satisfied: 10110011(+)11100001=01010010.

F_(q): Finite field of order q, where q is an integer equal to or larger than 1. For example, the order q is a prime number of a power of a prime number. In other words, the finite field F_(q) is a prime field or an extention field of the prime field, for example. When the finite field F_(q) is a prime field, remainder calculations to modulus q can be easily performed, for example. When the finite field F_(q) is an extention field, remainder calculations modulo an irreducible polynomial can be easily performed, for example. A specific method for configuring a finite field F_(q) is disclosed, for example, in reference literature 1, “ISO/IEC 18033-2: Information technology—Security techniques—Encryption algorithms—Part 2: Asymmetric ciphers”.

0_(F): Additive unit element of the finite field F_(q)

1_(F): Multiplicative unit element of the finite field F_(q)

δ(i, j): Kronecker's delta function. When i=j, δ(i, j)=1_(F).

When i≠j, δ(i, j)=0_(F).

E: Elliptic curve defined on the finite field F_(q). It is defined as a special point O called the point of infinity plus a set of points (x, y) satisfying x, yεF_(q) and the Weierstrass equation in an affine coordinate system y ² +a ₁ xy+a ₃ y=x ³ +a ₂ x ² +a ₄ x+a ₆  (1) where a₁, a₂, a₃, a₄, a₆εF_(q). A binary operation + called an elliptic addition can be defined for any two points on the elliptic curve E, and a unary operation − called an elliptic inverse can be defined for any one point on the elliptic curve E. It is well known that a finite set of rational points on the elliptic curve E forms a group with respect to the elliptic addition. It is also well known that an operation called an elliptic scalar multiplication can be defined with the elliptic addition. A specific operation method of elliptic operations such as the elliptic addition on a computer is also well known. (For example, see reference literature 1, reference literature 2, “RFC 5091: Identity-Based Cryptography Standard (IBCS) #1: Supersingular Curve Implementations of the BF and BB1 Cryptosystems”, and reference literature 3, Ian F. Blake, Gadiel Seroussi, and Nigel P. Smart, “Elliptic Curves in Cryptography”, Pearson Education, ISBN 4-89471-431-0.)

A finite set of rational points on the elliptic curve E has a subgroup of order p (p≧1). When the number of elements in a finite set of rational points on the elliptic curve E is #E and p is a large prime number that can divide #E without a remainder, for example, a finite set E[p] of p equally divided points on the elliptic curve E forms a subgroup of the finite set of rational points on the elliptic curve E. The p equally divided points on the elliptic curve E are points A on the elliptic curve E which satisfy the elliptic scalar multiplication pA=O.

G₁, G₂, G_(T): Cyclic groups of order q. Examples of the cyclic groups G₁ and G₂ include the finite set E[p] of p equally divided points on the elliptic curve E and subgroups thereof. G₁ may equal G₂, or G₁ may not equal G₂. Examples of the cyclic group G_(T) include a finite set constituting an extention field of the finite field F_(q). A specific example thereof is a finite set of the p-th root of 1 in the algebraic closure of the finite field F_(q).

In the embodiments, operations defined on the cyclic groups G₁ and G₂ are expressed as additions, and an operation defined on the cyclic group G_(T) is expressed as a multiplication. More specifically, χ·ΩεG₁ for χεF_(q) and ΩεG₁ means that the operation defined in the cyclic group G₁ is applied to ΩεG₁χ times, and Ω₁+Ω₂εG₁ for Ω₁, Ω₂εG₁ means that the operation defined in the cyclic group G₁ is applied to Ω₁εG₁ and Ω₂εG₁. In the same way, χ·ΩεG₂ for χεF_(q) and ΩεG₂ means that the operation defined in the cyclic group G₂ is applied to ΩεG₂, times, and Ω₁+Ω₂εG₂ for Ω₁, Ω₂εG₂ means that the operation defined in the cyclic group G₂ is applied to Ω₁εG₂ and Ω₂εG₂. In contrast, Ω^(χ)εG_(T) for χεF_(q) and ΩεG_(T) means that the operation defined in the cyclic group G_(T) is applied to ΩεG_(T)χ times, and Ω₁·Ω₂εG_(T) for Ω₁, Ω₂εG_(T) means that the operation defined in the cyclic group G_(T) is applied to Ω₁εG_(T) and Ω₂εG_(T).

G₁ ^(n+1): Direct product of (n+1) cyclic groups G₁(n≧1)

G₂ ^(n+1): Direct product of (n+1) cyclic groups G₂

g₁, g₂, g_(T): Generators of the cyclic groups G₁, G₂, G_(T)

V: (n+1)-dimensional vector space formed of the direct product of the (n+1) cyclic groups G₁

V*: (n+1)-dimensional vector space formed of the direct product of the (n+1) cyclic groups G₂

e: Function (bilinear function) for calculating a non-degenerate bilinear map that maps the direct product G₁ ^(n+1)×G₂ ^(n+1) of the direct product G₁ ^(n+1) and the direct product G₂ ^(n+1) to the cyclic group G_(T). The bilinear function e receives (n+1) elements γ_(L) (L=1, . . . , n+1) (n≧1) of the cyclic group G₁ and (n+1) elements γ_(L)*(L=1, . . . , n+1) of the cyclic group G₂ and outputs one element of the cyclic group G_(T). e:G ₁ ^(n+1) ×G ₂ ^(n+1) →G _(T)  (2)

The bilinear function e satisfies the following characteristics:

Bilinearity: The following relationship is satisfied for all Γ₁εG₁ ^(n+1), Γ₂εG₂ ^(n+1), and ν, κεF_(q) e(ν·Γ₁,κ·Γ₂)=e(Γ₁,Γ₂)^(ν·κ)  (3)

Non-degeneracy: This function does not map all Γ₁ εG ₁ ^(n+1),Γ₂ εG ₂ ^(n+1)  (4) onto the unit element of the cyclic group G_(T).

Computability: There exists an algorithm for efficiently calculating e(Γ₁, Γ₂) for all Γ₁εG₁ ^(n+1), Γ₂εG₂ ^(n+1).

In the embodiments, the following function for calculating a non-degenerate bilinear map that maps the direct product G₁×G₂ of the cyclic group G₁ and the cyclic group G₂ to the cyclic group G_(T) constitutes the bilinear function e. Pair: G ₁ ×G ₂ →G _(T)  (5) The bilinear function e receives an (n+1)-dimensional vector (γ₁, . . . , γ_(n+1)) formed of (n+1) elements γ_(L) (L=1, . . . , n+1) of the cyclic group G₁ and an (n+1)-dimensional vector (γ₁*, . . . , γ_(n+1)*) formed of (n+1) elements γ_(L)* (L=1, . . . , n+1) of the cyclic group G₂ and outputs one element of the cyclic group G_(T). e=Π _(L=1) ^(n+1)Pair(γ_(L),γ_(L)*)  (6)

The bilinear function Pair receives one element of the cyclic group G₁ and one element of the cyclic group G₂ and outputs one element of the cyclic group G_(T), and satisfies the following characteristics:

Bilinearity: The following relationship is satisfied for all Ω₁e G₁, Ω₂εG₂, and ν, κεF_(q) Pair(ν·Ω₁,κ·Ω₂)=Pair(Ω₁,Ω₂)^(ν·κ)  (7)

Non-degeneracy: This function does not map all Ω₁ εG ₁, Ω₂ εG ₂  (8) onto the unit element of the cyclic group G_(T).

Computability: There exists an algorithm for efficiently calculating Pair(Ω₁, Ω₂) for all Ω₁εG₁, Ω₂εG₂.

A specific example of the bilinear function Pair is a function for performing a pairing operation such as Weil pairing or Tate pairing. (See reference literature 4, Alfred. J. Menezes, “Elliptic Curve Public Key Cryptosystems”, Kluwer Academic Publishers, ISBN 0-7923-9368-6, pp. 61-81, for example.) A modified pairing function e(Ω₁, phi(Ω₂)) (Ω₁εG₁, Ω₂εG₂) obtained by combining a function for performing a pairing operation, such as Tate pairing, and a predetermined function phi according to the type of the elliptic curve E may be used as the bilinear function Pair (see reference literature 2, for example). As the algorithm for performing a pairing operation on a computer, the Miller algorithm (see reference literature 5, V. S. Miller, “Short Programs for Functions on Curves”, 1986, http://crypto.stanford.edu/miller/miller.pdf) or some other known algorithm can be used. Methods for configuring a cyclic group and an elliptic curve used to efficiently perform a pairing operation have been known. (For example, see reference literature 2; reference literature 6, A. Miyaji, M. Nakabayashi, and S. Takano, “New Explicit Conditions of Elliptic Curve Traces for FR Reduction”, IEICE Trans. Fundamentals, Vol. E84-A, No. 5, pp. 1234-1243, May 2001; reference literature 7, P. S. L. M. Barreto, B. Lynn, M. Scott, “Constructing Elliptic Curves with Prescribed Embedding Degrees”, Proc. SCN '2002, LNCS 2576, pp. 257-267, Springer-Verlag. 2003; and reference literature 8, R. Dupont, A. Enge, F. Morain, “Building Curves with Arbitrary Small MOV Degree over Finite Prime Fields”, http://eprint.iacr.org/2002/094/).

a_(i) (i=1, . . . , n+1): (n+1)-dimensional basis vectors having (n+1) elements of the cyclic group G₁ as elements. An example of the basis vectors a_(i) is an (n+1)-dimensional basis vector having κ₁·g₁εG₁ as an i-dimensional element and the unit element (expressed as “0” in additive expression) of the cyclic group G₁ as the remaining n elements. In that case, the elements of the (n+1)-dimensional basis vectors a_(i) (i=1, . . . , n+1) can be listed as follows:

$\begin{matrix} {{a_{1} = \left( {{\kappa_{1} \cdot g_{1}},0,0,\ldots\mspace{14mu},0} \right)}{a_{2} = \left( {0,{\kappa_{1} \cdot g_{1}},0,\ldots\mspace{14mu},0} \right)}\ldots{a_{n + 1} = \left( {0,0,0,\ldots\mspace{14mu},{\kappa_{1} \cdot g_{1}}} \right)}} & (9) \end{matrix}$

Here, κ₁ is a constant formed of an element of the finite field F_(q) other than the additive unit element 0_(F). An example of κ₁εF_(q) is κ₁=1_(F). The basis vectors a_(i) are orthogonal bases. Each (n+1)-dimensional vector having (n+1) elements of the cyclic group G₁ as elements is expressed by a linear sum of (n+1)-dimensional basis vectors a_(i) (i=1, . . . , n+1). Therefore, the (n+1)-dimensional basis vectors a_(i) span the vector space V, described earlier.

a_(i)* (i=1, . . . , n+1): (n+1)-dimensional basis vectors having (n+1) elements of the cyclic group G₂ as elements. An example of the basis vectors a_(i)* is an (n+1)-dimensional basis vector having κ₂·g₂εG₂ as an i-dimensional element and the unit element (expressed as “0” in additive expression) of the cyclic group G₂ as the remaining n elements. In that case, the elements of the (n+1)-dimensional basis vectors a_(i)* (i=1, . . . , n+1) can be listed as follows:

$\begin{matrix} {{a_{1}^{*} = \left( {{\kappa_{2} \cdot g_{2}},0,0,\ldots\mspace{14mu},0} \right)}{a_{2}^{*} = \left( {0,{\kappa_{2} \cdot g_{2}},0,\ldots\mspace{14mu},0} \right)}\ldots{a_{n + 1}^{*} = \left( {0,0,0,\ldots\mspace{14mu},{\kappa_{2} \cdot g_{2}}} \right)}} & (10) \end{matrix}$

Here, κ₂ is a constant formed of an element of the finite field F_(q) other than the additive unit element 0_(F). An example of κ₂εF_(q) is κ₂=1_(F). The basis vectors a_(i)* are orthogonal bases. Each (n+1)-dimensional vector having (n+1) elements of the cyclic group G₂ as elements is expressed by a linear sum of (n+1)-dimensional basis vectors a_(i)* (i=1, . . . , n+1). Therefore, the (n+1)-dimensional basis vectors a_(i)* span the vector space V*, described earlier.

The basis vectors a_(i) and the basis vectors a_(i)* satisfy the following expression for an element τ=κ₁·κ₂ of the finite field F_(q) other than 0_(F): e(a _(i) ,a _(j)*)=g _(T) ^(τδ(i,j))  (11) When i=j, the following expression is satisfied from Expressions (6) and (7).

$\begin{matrix} {{e\left( {a_{i},a_{j}^{*}} \right)} = {{{Pair}\left( {{\kappa_{1} \cdot g_{1}},{\kappa_{2} \cdot g_{2}}} \right)} \cdot {{Pair}\left( {0,0} \right)} \cdot \ldots \cdot {{Pair}\left( {0,0} \right)}}} \\ {= {{{Pair}\left( {g_{1},g_{2}} \right)}^{\kappa\; 1\kappa\; 2} \cdot {{Pair}\left( {g_{1},g_{2}} \right)}^{0 \cdot 0} \cdot \ldots \cdot {{Pair}\left( {g_{1},g_{2}} \right)}^{0 \cdot 0}}} \\ {= {{{Pair}\left( {g_{1},g_{2}} \right)}^{\kappa\; 1\kappa\; 2} = g_{T}^{\tau}}} \end{matrix}$ When i≠j, e(a_(i), a_(j)*) does not include Pair(κ₁·g₁, κ₂·g₂) and is the product of Pair (κ₁·g₁, 0), Pair (0, κ₂·g₂), and Pair(0, 0). In addition, the following expression is satisfied from Expression (7). Pair(g ₁,0)=Pair(0,g ₂)=Pair(g ₁ ,g ₂)⁰ Therefore, when i≠j, the following expression is satisfied. e(a _(i) ,a _(j)*)=e(g ₁ , g ₂)⁰ =g _(T) ⁰

Especially when τ=κ₁·κ₂=1_(F) (for example, κ₁=κ₂=1_(F)), the following expression is satisfied. e(a _(i) ,a _(j)*)=g _(T) ^(δ(i,j))  (12) Here, g_(T) ⁰=1 is the unit element of the cyclic group G_(T), and g_(T) ¹=g_(T) is a generator of the cyclic group G_(T). In that case, the basis vectors a_(i) and the basis vectors a_(i)* are dual normal orthogonal bases, and the vector space V and the vector space V* are a dual vector space that constitutes bilinear mapping (dual pairing vector space (DPVS)).

A: An (n+1) row by (n+1) column matrix having the basis vectors a_(i) (i=1, . . . , n+1) as elements. When the basis vectors a_(i) (i=1, . . . , n+1) are expressed by Expression (9), for example, the matrix A is as follows:

$\begin{matrix} {A = {\begin{pmatrix} a_{1} \\ a_{2} \\ \vdots \\ a_{n + 1} \end{pmatrix} = \begin{pmatrix} {\kappa_{1} \cdot g_{1}} & 0 & \ldots & 0 \\ 0 & {\kappa_{1} \cdot g_{1}} & \; & \vdots \\ \vdots & \; & \ddots & 0 \\ 0 & \ldots & 0 & {\kappa_{1} \cdot g_{1}} \end{pmatrix}}} & (13) \end{matrix}$

A*: An (n+1) row by (n+1) column matrix having the basis vectors a_(i)* (i=1, . . . , n+1) as elements. When the basis vectors a_(i)* (i=1, . . . , n+1) are expressed by Expression (10), for example, the matrix A* is as follows:

$\begin{matrix} {A^{*} = {\begin{pmatrix} {a_{1}^{*}\;} \\ a_{2}^{*} \\ \vdots \\ a_{n + 1}^{*} \end{pmatrix} = \begin{pmatrix} {\kappa_{2} \cdot g_{1}} & 0 & \ldots & 0 \\ 0 & {\kappa_{2} \cdot g_{2}} & \; & \vdots \\ \vdots & \; & \ddots & 0 \\ 0 & \ldots & 0 & {\kappa_{2} \cdot g_{2}} \end{pmatrix}}} & (14) \end{matrix}$

X: An (n+1) row by (n+1) column matrix having elements of the finite field F_(q) as elements. The matrix X is used to apply coordinate conversion to the basis vectors a_(i). When the element located at the i-th row and the j-th column in the matrix X is expressed as χ_(i,j)εFq, the matrix X is as follows:

$\begin{matrix} {X = \begin{pmatrix} \chi_{1,1} & \chi_{1,2} & \ldots & \chi_{1,{n + 1}} \\ \chi_{{2,1}\;} & \chi_{2,2} & \; & \vdots \\ \vdots & \; & \ddots & \vdots \\ \chi_{{n + 1},1} & \chi_{{n + 1},2} & \ldots & \chi_{{n + 1},{n + 1}} \end{pmatrix}} & (15) \end{matrix}$

Here, each element χ_(ij) of the matrix X is called a conversion coefficient.

X*: Transposed matrix of the inverse matrix of the matrix X. X*=(X⁻¹)^(T). The matrix X* is used to apply coordinate conversion to the basis vectors a_(i)*. When the element located at the i-th row and the j-th column in the matrix X* is expressed as χ_(i,j)*εFq, the matrix X* is as follows:

$\begin{matrix} {X^{*} = \begin{pmatrix} \chi_{1,1}^{*} & \chi_{1,2}^{*} & \ldots & \chi_{1,{n + 1}}^{*} \\ \chi_{2,1}^{*} & \chi_{2,2}^{*} & \; & \vdots \\ \vdots & \; & \ddots & \vdots \\ \chi_{{n + 1},1}^{*} & \chi_{{n + 1},2}^{*} & \ldots & \chi_{{n + 1},{n + 1}}^{*} \end{pmatrix}} & (16) \end{matrix}$

Here, each element χ_(i,j)* of the matrix X* is called a conversion coefficient.

In that case, when an (n+1) row by (n+1) column unit matrix is called I, X·(X*)^(T)=I. In other words, for the unit matrix shown below,

$\begin{matrix} {I = \begin{pmatrix} 1_{F} & 0_{F} & \ldots & 0_{F} \\ 0_{F} & 1_{F} & \; & \vdots \\ \vdots & \; & \ddots & 0_{F} \\ 0_{F} & 0_{F} & \ldots & 1_{F} \end{pmatrix}} & (17) \end{matrix}$ the following expression is satisfied.

$\begin{matrix} {{\begin{pmatrix} \chi_{1,1} & \chi_{1,2} & \ldots & \chi_{1,{n + 1}} \\ \chi_{2,1} & \chi_{2,2} & \; & \vdots \\ \vdots & \; & \ddots & \vdots \\ \chi_{{n + 1},1} & \chi_{{n + 1},2} & \ldots & \chi_{{n + 1},{n + 1}} \end{pmatrix} \cdot \begin{pmatrix} \chi_{1,1}^{*} & \chi_{2,1}^{*} & \ldots & \chi_{{n + 1},1}^{*} \\ \chi_{1,2}^{*} & \chi_{2,2}^{*} & \; & \vdots \\ \vdots & \; & \ddots & \vdots \\ \chi_{1,{n + 1}}^{*} & \chi_{2,{n + 1}}^{*} & \ldots & \chi_{{n + 1},{n + 1}}^{*} \end{pmatrix}} = \begin{pmatrix} 1_{F} & 0_{F} & \ldots & 0_{F} \\ 0_{F} & 1_{F} & \; & \vdots \\ \vdots & \; & \ddots & 0_{F} \\ 0_{F} & 0_{F} & \ldots & 1_{F} \end{pmatrix}} & (18) \end{matrix}$

Here, (n+1)-dimensional vectors will be defined below. χ_(i) ^(→)=(χ_(i,1), . . . , χ_(i,n+1))  (19) χ_(j) ^(→)=(χ_(j,1)*, . . . , χ_(j,n+1)*)  (20) The inner product of the (n+1)-dimensional vectors χ_(i) ^(→) and χ_(j) ^(→)* satisfies the following expression from Expression (18). χ_(i) ^(→)·χ_(j) ^(→)*=δ(i,j)  (21)

b_(i): (n+1)-dimensional basis vectors having (n+1) elements of the cyclic group G₁ as elements. The basis vectors b_(i) are obtained by applying coordinate conversion to the basis vectors a_(i) (i=1, . . . , n+1) by using the matrix X. Specifically, the basis vectors b_(i) are obtained by the following calculation b _(i)=Σ_(j=1) ^(n+1)χ_(i,j) ·a _(j)  (22) When the basis vectors a_(j) (j=1, . . . , n+1) are expressed by Expression (9), each element of the basis vectors b_(i) is shown below. b _(i)=(χ_(i,1)·κ₁ ·g ₁,χ_(i,2)·κ₁ ·g ₁, . . . ,χ_(i,n+1)·κ₁ ·g ₁)  (23)

Each (n+1)-dimensional vector having (n+1) elements of the cyclic group G₁ as elements is expressed by a linear sum of (n+1)-dimensional basis vectors b_(i) (i=1, . . . , n+1). Therefore, the (n+1)-dimensional basis vectors b_(i) span the vector space V, described earlier.

b_(i)*: (n+1)-dimensional basis vectors having (n+1) elements of the cyclic group G₂ as elements. The basis vectors b_(i)* are obtained by applying coordinate conversion to the basis vectors a_(i)* (i=1, . . . , n+1) by using the matrix X*. Specifically, the basis vectors b_(i)* are obtained by the following calculation b _(i)*=Σ_(j=1) ^(n+1)χ_(i,j) *·a _(j)*  (24) When the basis vectors a_(j) (j=1, . . . , n+1) are expressed by Expression (10), each element of the basis vectors b_(i)* are shown below. b _(i)*=(χ_(i,1)*·κ₂ ·g ₂,χ_(i,2)*·κ₂ ·g ₂, . . . , χ_(i,n+1)*·κ₂ ·g ₂)  (25)

Each (n+1)-dimensional vector having (n+1) elements of the cyclic group G₂ as elements is expressed by a linear sum of (n+1)-dimensional basis vectors b_(i)* (i=1, . . . , n+1). Therefore, the (n+1)-dimensional basis vectors b_(i)* span the vector space V*, described earlier.

The basis vectors b_(i) and the basis vectors b_(i)* satisfy the following expression for the elements τ=κ₁·κ₂ of the finite field F_(q) other than 0_(F): e(b _(i) ,b _(j)*)=g _(T) ^(τδ(i,j))  (26) The following expression is satisfied from Expressions (6), (21), (23), and (25).

$\begin{matrix} {{e\left( {b_{i},b_{j}^{*}} \right)} = {\prod\limits_{L = 1}^{n + 1}{{Pair}\left( {{\chi_{i,L} \cdot \kappa_{1} \cdot g_{1}},{\chi_{j,L}^{*} \cdot \kappa_{2} \cdot g_{2}}} \right)}}} \\ {= {{{{Pair}\left( {{\chi_{i,1} \cdot \kappa_{1} \cdot g_{1}},{\chi_{j,1}^{*} \cdot \kappa_{2} \cdot g_{2}}} \right)} \cdot \ldots \cdot \left( {{\chi_{i\;,n} \cdot \kappa_{1} \cdot g_{1}},{\chi_{j,n}^{*} \cdot \kappa_{2} \cdot g_{2}}} \right)} \times}} \\ {{Pair}\left( {{\chi_{j,{n + 1}} \cdot \kappa_{1} \cdot g_{1}},{\chi_{j,{n + 1}}^{*} \cdot \kappa_{2} \cdot g_{2}}} \right)} \\ {= {{{{Pair}\left( {g_{1},g_{2}} \right)}^{\kappa_{1} \cdot \kappa_{2} \cdot \chi_{i,1} \cdot \chi_{j,1}^{*}} \cdot \ldots \cdot {{Pair}\left( {g_{1},g_{2}} \right)}^{\kappa_{1} \cdot \kappa_{2} \cdot \chi_{i,2} \cdot \chi_{j,2}^{*}}} \times}} \\ {{{Pair}\left( {g_{1},g_{2}} \right)}^{\kappa_{1} \cdot \kappa_{2} \cdot \chi_{i,{n + 1}} \cdot \chi_{j,{n + 1}}^{*}}} \\ {= {{Pair}\left( {g_{1},g_{2}} \right)}^{\kappa_{1} \cdot {\kappa_{2}{({{\chi_{i,1} \cdot \chi_{j,1}^{*}} + {\chi_{i,2} \cdot \chi_{j,2}^{*}} + \ldots + {\chi_{i,{n + 1}} \cdot \chi_{j,{n + 1}}^{*}}})}}}} \\ {= {{Pair}\left( {g_{1},g_{2}} \right)}^{\kappa_{1} \cdot \kappa_{2} \cdot \chi_{i\;}^{\rightarrow} \cdot \chi_{j}^{\rightarrow*}}} \\ {= {{{Pair}\left( {g_{1},g_{2}} \right)}^{\tau \cdot {\delta{({i,j})}}} = g_{T}^{\tau \cdot {\delta{({i,j})}}}}} \end{matrix}$

Especially when τ=κ₁·κ₂=1_(F) (for example, κ₁=κ₂=1_(F)), the following expression is satisfied. e(b _(i) ,b _(j)*)=g _(T) ^(δ(i,j))  (27) In that case, the basis vectors b_(i) and the basis vectors b_(i)* are the dual normal orthogonal basis of a dual pairing vector space (the vector space V and the vector space V*).

As long as Expression (26) is satisfied, the basis vectors a_(i) and a_(i)* other than those shown in Expressions (9) and (10) as examples, and the basis vectors b_(i) and b_(i)* other than those shown in Expressions (22) and (24) as examples may be used.

B: An (n+1) row by (n+1) column matrix having the basis vectors b_(i) (i=1, . . . , n+1) as elements. B=X·A is satisfied. When the basis vectors b, are expressed by Expression (23), for example, the matrix B is as follows:

$\begin{matrix} \begin{matrix} {B = \begin{pmatrix} b_{1} \\ b_{2\;} \\ \vdots \\ b_{n + 1} \end{pmatrix}} \\ {= \begin{pmatrix} {\chi_{1,1} \cdot \kappa_{1} \cdot g_{1}} & {\chi_{1,2} \cdot \kappa_{1} \cdot g_{1}} & \ldots & {\chi_{1,{n + 1}} \cdot \kappa_{1} \cdot g_{1}} \\ {\chi_{2,1} \cdot \kappa_{1} \cdot g_{1}} & {\chi_{2,2} \cdot \kappa_{1} \cdot g_{1}} & \; & \vdots \\ \vdots & \; & \ddots & {\chi_{n,{n + 1}} \cdot \kappa_{1} \cdot g_{1\;}} \\ {\chi_{{n + 1},1} \cdot \kappa_{1} \cdot g_{1}} & \ldots & {\chi_{{n + 1},n} \cdot \kappa_{1} \cdot g_{1}} & {\chi_{{n + 1},{n + 1}} \cdot \kappa_{1} \cdot g_{1}} \end{pmatrix}} \end{matrix} & (28) \end{matrix}$

B*: An (n+1) row by (n+1) column matrix having the basis vectors b_(i)* (i=1, . . . , n+1) as elements. B*=X*·A* is satisfied. When the basis vectors b_(i)*(i=1, . . . , n+1) are expressed by Expression (25), for example, the matrix B* is as follows:

$\begin{matrix} \begin{matrix} {B^{*} = \begin{pmatrix} b_{1}^{*} \\ b_{2\;}^{*} \\ \vdots \\ b_{n + 1}^{*} \end{pmatrix}} \\ {= \begin{pmatrix} {\chi_{1,1}^{*} \cdot \kappa_{2} \cdot g_{2}} & {\chi_{1,2}^{*} \cdot \kappa_{2} \cdot g_{2}} & \ldots & {\chi_{1,{n + 1}}^{*} \cdot \kappa_{2} \cdot g_{2}} \\ {\chi_{2,1}^{*} \cdot \kappa_{2} \cdot g_{2}} & {\chi_{2,2}^{*} \cdot \kappa_{2} \cdot g_{2}} & \; & \vdots \\ \vdots & \; & \ddots & {\chi_{n,{n + 1}}^{*} \cdot \kappa_{2} \cdot g_{2}} \\ {\chi_{{n + 1},1}^{*} \cdot \kappa_{2} \cdot g_{2}} & \ldots & {\chi_{{n + 1},n}^{*} \cdot \kappa_{2} \cdot g_{2}} & {\chi_{{n + 1},{n + 1}}^{*} \cdot \kappa_{2} \cdot g_{2}} \end{pmatrix}} \end{matrix} & (29) \end{matrix}$

w^(→): An n-dimensional vector having elements of the finite field F_(q) as elements. w ^(→)=(w ₁ , . . . , w _(n))εF _(q) ^(n)  (30)

w_(μ): The μ-th (t=1, . . . , n) element of the n-dimensional vector.

v^(→): An n-dimensional vector having elements of the finite field F_(q) as elements. v ^(→)=(v ₁ , . . . , v _(n))εF _(q) ^(n)  (31)

v_(μ): The μ-th (μ=1, . . . , n) element of the n-dimensional vector.

Collision-resistant function: A function h that satisfies the following condition with respect to a sufficiently larger security parameter k, or a function regarded as such. Pr[A(h)=(x,y)|h(x)=h(y)

x≠y]<ε(k)  (32)

Here, Pr[•] is the probability of the event [•]; A(h) is a probability polynomial time algorithm for calculating x and y (x≠y) that satisfy h(x)=h(y) for a function h; and ε(k) is a polynomial for the security parameter k. An example collision-resistant function is a hash function such as the cryptographic hash function disclosed in reference literature 1.

Injective function: A function by which each element belonging to a value range is expressed as the image of only one element in the definition range, or a function regarded as such.

Quasi-random function: A function belonging to a subset φ_(ζ) when a probability polynomial time algorithm cannot distinguish between the subset φ_(ζ) and its whole set Φ_(ζ), or a function regarded as such. The set Φ_(ζ) is a set of all functions that map an element of a set {0, 1}^(ζ) to an element of the set {0, 1}^(ζ). An example quasi-random function is a hash function such as that described above.

H₁: A collision-resistant function that receives two binary sequences (ω₁, ω₂)ε{0, 1}^(k)×{0, 1}* and outputs two elements (ψ₁, ψ₂)εF_(q)×F_(q) of the finite field F_(q). H ₁:{0,1}^(k)×{0,1}*→F _(q) ×F _(q)  (33)

An example of the function H₁ is a function that outputs two elements (ψ₁, ψ₂)εF_(q)×F_(q) of the finite field F_(q) in response to the connected bits ω₁∥ω₂ of input ω₁ and ω₂. This function includes calculations with a hash function such as the cryptographic hash function disclosed in reference literature 1, a binary-sequence-to-integer conversion function (octet string/integer conversion), and a binary-sequence-to-finite-field-element conversion function (octet string and integer/finite field conversion). It is preferred that the function H₁ be a quasi-random function.

H₂: A collision-resistant function that receives an element of the cyclic group G_(T) and a binary sequence (ξ, ω₂)εG_(T)×{0, 1}* and outputs one element ψεF_(q) of the finite field F_(q). H ₂ :G _(T)×{0,1}*→F _(q)  (34)

An example of the function H₂ is a function that receives an element ξεG_(T) of the cyclic group G_(T) and a binary sequence ω₂ε{0, 1}*, inputs the element ξεG_(T) of the cyclic group G_(T) to a finite-field-element-to-binary-sequence conversion function (octet string and integer/finite field conversion) disclosed in reference literature 1 to obtain a binary sequence, applies a hash function such as the cryptographic hash function disclosed in reference literature 1 to the connected bits of the obtained binary sequence and the binary sequence ω₂ε{0, 1}*, performs the binary-sequence-to-finite-field-element conversion function (octet string and integer/finite field conversion), and outputs one element ψεF_(q) of the finite field F_(q). It is preferred from a security viewpoint that the function H₂ be a quasi-random function.

R: An injective function that receives an element ξεG_(T) of the cyclic group G_(T) and outputs one binary sequence ωε{0, 1}^(k). R:G _(T)→{0,1}^(k)  (35)

An example of the injective function R is a function that receives an element ξεG_(T) of the cyclic group G_(T), performs calculations with the finite-field-element-to-binary-sequence conversion function (octet string and integer/finite field conversion) and then with a hash function such as the KDF (key derivation function) disclosed in reference literature 1, and outputs one binary sequence ωε{0, 1}^(k). From a security viewpoint, it is preferred that the function R be a collision-resistant function, and it is more preferred that the function R be a quasi-random function.

Enc: A common key encryption function that indicates encryption processing of a common key cryptosystem. Example common key cryptosystems are Camellia and AES.

Enc_(k)(M): Ciphertext obtained by encrypting plaintext M by the common key encryption function Enc with the use of a common key K.

Dec: A common key decryption function that indicates decryption processing of the common key cryptosystem.

Dec_(k)(C): A decryption result obtained by decrypting ciphertext C by the common key decryption function Dec with the use of the common key K.

Inner Product Predicate Encryption

The basic configuration of inner product predicate encryption will be described below.

Predicate Encryption

Predicate encryption (sometimes called function encryption) means that ciphertext can be decrypted when a combination of attribute information and predicate information makes a predetermined logical expression true. One of the attribute information and predicate information is embedded in the ciphertext and the other is embedded in key information. The configuration of conventional predicate encryption is, for example, disclosed in reference literature 9, Jonathan Katz, Amit Sahai and Brent Waters., “Predicate Encryption Supporting Disjunctions, Polynomial Equations, and Inner Products”, one of four papers from Eurocrypt 2008 invited by the Journal of Cryptology.

Inner Product Predicate Encryption

Inner product predicate encryption means that ciphertext can be decrypted when the inner product of attribute information and predicate information handled as vectors is zero. In inner product predicate encryption, an inner product of zero is equivalent to a logical expression of true.

Relationship Between Logical Expression and Polynomial

In inner product predicate encryption, a logical expression formed of a logical OR(s) and/or a logical AND(s) is expressed by a polynomial.

The logical OR (x=η₁)

(x=η₂) of statement 1 indicating that x is η₁ and statement 2 indicating that x is η₂ is expressed by the following polynomial. (x−η ₁)·(x−η ₂)  (36) Then, the relationships between true values and the function values of Expression (36) are shown in the following table.

TABLE 1 Statement 1 Statement 2 Logical OR Function value (x = η₁) (x = η₂) (x = η₁)

 (x = η₂) (x = η₁) · (x = η₂) True True True 0 True False True 0 False True True 0 False False False Other than 0

As understood from Table 1, when the logical OR (x=η₁)

(x=η₂) is true, the function value of Expression (36) is zero; and when the logical OR (x=η₁)

(x=η₂) is false, the function value of Expression (36) is a value other than zero. In other words, the logical OR (x=η₁)

(x=η₂) of true is equivalent to the function value of zero in Expression (36). Therefore, the logical OR can be expressed by Expression (36).

The logical AND (x=η₁)

(x=η₂) of statement 1 indicating that x is η₁ and statement 2 indicating that x is η₂ is expressed by the following polynomial τ₁·(x−η ₁)+τ₂·(x−η ₂)  (37) where τ₁ and τ₂ are random numbers. Then, the relationships between true values and the function values of Expression (37) are shown in the following table.

TABLE 2 Statement Function value 1 Statement 2 Logical AND ι₁ · (x − η₁) + ι₂ · (x − (x = η₁) (x = η₂) (x = η₁)

 (x = η₂) η₂) True True True 0 True False False Other than 0 False True False Other than 0 False False False Other than 0

As understood from Table 2, when the logical AND (x=η₁)

(x=η₂) is true, the function value of Expression (37) is zero; and when the logical AND (x=η₁)

(x=η₂) is false, the function value of Expression (37) is a value other than zero. In other words, a logical AND (x=η₁)

(x=η₂) of true is equivalent to a function value of zero in Expression (37). Therefore, the logical AND can be expressed by Expression (37).

As described above, by using Expressions (36) and (37), a logical expression formed of a logical OR(s) and/or a logical AND(s) can be expressed by a polynomial f(x). An example will be shown below. Logical expression: {(x=η ₁)

(x=η ₂)

(x=η ₃)}

(x=η ₄)

(x=η ₅) Polynomial: f(x)=τ₁ ·{(x−η ₁)·(x−η ₂)·(X−η ₃)}+τ₂·(x−=η ₄)+τ₃·(x−=η ₅)

In Expression (36), one indeterminate element x is used to express the logical OR. A plurality of indeterminate elements can also be used to express a logical OR. For example, two indeterminate elements x₀ and x₁ are used to express the logical OR (x₀=η₀)

(x₁=η₁) of statement 1 indicating that x₀ is η₀ and statement 2 indicating that x₁ is η₁ by the following polynomial. (x ₀−η₀)·(x ₁−η₁) Three or more indeterminate elements can also be used to express a logical OR by a polynomial.

In Expression (37), one indeterminate element x is used to express the logical AND. A plurality of indeterminate elements can also be used to express a logical AND. For example, the logical AND (x₀=η₀)

(x₁=η₁) of statement 1 indicating that x₀ is η₀ and statement 2 indicating that x₁ is η₁ can be expressed by the following polynomial. τ₀·(x ₀−η₀)+τ₁·(x ₁−η₁) Three or more indeterminate elements can also be used to express a logical AND by a polynomial.

A logical expression that includes a logical OR(s) and/or a logical AND(s) is expressed with H(H≧1) types of indeterminate elements x₀, . . . , x_(H-1) as the polynomial f(x₀, . . . , x_(H-1)). It is assumed that a statement for each of the indeterminate elements x₀, . . . , x_(H-1) is “x_(h) is η_(h)”, where η_(h) (h=0, . . . , H−1) is a constant determined for each statement. Then, in the polynomial f(x₀, . . . , x_(H-1)) indicating the logical expression, the statement indicating that an indeterminate element x_(h) is a constant η_(h) is expressed by the polynomial indicating the difference between the indeterminate element x_(h) and the constant η_(h); the logical OR of statements is expressed by the product of the polynomials indicating the statements; and the logical AND of statements or the logical ORs of statements is expressed by a linear OR of the polynomials indicating the statements or the logical ORs of statements. For example, five indeterminate elements x₀, . . . , x₄ are used to express a logical expression {(x ₀=η₀)

(x ₁=η₁)

(x ₂=η₂)}

(x ₃=η₃)

(x ₄=η₄) by the following polynomial f(x ₀ , . . . ,x ₄)=τ₀·{(x ₀−η₀)·(x ₁−η₁)·(x ₂−η₂)}+τ₁·(x ₃−=η₃)+τ₂·(x ₄−=η₄)

Relationship Between Polynomial and Inner Product

The polynomial f(x₀, . . . , x_(H-1)) indicating a logical expression can be expressed by the inner product of two n-dimensional vectors. More specifically, a vector having the indeterminate elements of the terms of the polynomial f(x₀, . . . , x_(H-1)) as elements, v ^(→)=(v ₁ , . . . , v _(n)) and a vector having the coefficients of the terms of the polynomial f(x₀, . . . , x_(H-1)) as elements, w ^(→)=(w ₁ , . . . , w _(n)) are used to generate the inner product thereof, f(x ₀ , . . . ,x _(H-1))=w ^(→) ·v ^(→) which is equal to the polynomial f(x₀, . . . , x_(H-1)). In other words, whether the polynomial f(x₀, . . . , x_(H-1)) indicating a logical expression is zero is equivalent to whether the inner product of the vector v^(→) having the indeterminate elements of the terms of the polynomial f(x₀, . . . , x_(H-1)) as elements and the vector w^(→) having the coefficients of the terms of the polynomial f(x₀, . . . , x_(H-1)) as elements is zero. f(x ₀ , . . . ,x _(H-1))=0←→w ^(→) ·v ^(→)=0

For example, a polynomial f(x)=θ₀·x⁰+θ₁·x+ . . . +θ_(n−1)·x^(n−1) expressed with one indeterminate element x can be expressed with two n-dimensional vectors w ^(→)=(w ₁ , . . . ,w _(n))=(θ₀, . . . ,θ_(n−1))  (39) v ^(→)=(v ₁ , . . . ,v _(n))=(x ⁰ , . . . ,x ^(n−1))  (40) by the inner product thereof. f(x)=w ^(→) ·v ^(→)  (41) In other words, whether the polynomial f(x) indicating a logical expression is zero is equivalent to whether the inner product in Expression (41) is zero. f(x)=0←→w ^(→) ·v ^(→)=0  (42)

When a vector having the indeterminate elements of the terms of the polynomial f(x₀, . . . , x_(H-1)) as elements is expressed by w ^(→)=(w ₁ , . . . , w _(n)) and a vector having the coefficients of the terms of the polynomial f(x₀, . . . , x_(H-1)) as elements is expressed by v ^(→)=(v ₁ , . . . , v _(n)) whether the polynomial f(x₀, . . . , x_(H-1)) indicating a logical expression is zero is equivalent to whether the inner product of the vector w^(→) and the vector v^(→) is zero.

For example, when the following expressions are used instead of Expressions (39) and (40), w ^(→)=(w ₁ , . . . ,w _(n))=(x ⁰ , . . . ,x ^(n−1))  (43) v ^(→)=(v ₁ , . . . ,v _(n))=(θ₀, . . . ,θ_(n−1))  (44) whether the polynomial f(x) indicating a logical expression is zero is equivalent to whether the inner product in Expression (41) is zero.

In inner product predicate encryption, one of the vectors v^(→)=(v₀, . . . , v_(n−1)) and w^(→)=(w₀, . . . , w_(n−1)) is used as attribute information and the other is used as predicate information. One of the attribute information and predicate information is embedded in ciphertext and the other is embedded in key information. For example, an n-dimensional vector (θ₀, . . . , θ_(n−1)) is used as predicate information, another n-dimensional vector (x⁰, . . . , x^(n−1)) is used as attribute information, one of the attribute information and predicate information is embedded in ciphertext, and the other is embedded in key information. It is assumed in the following description that an n-dimensional vector embedded in key information is w^(→)=(w₁, . . . , w_(n)) and another n-dimensional vector embedded in ciphertext is v^(→)=(v₁, . . . , v_(n)).

For example,

Predicate information: w^(→)=(w₁, . . . , w_(n))=(θ₀, . . . , θ_(n−1))

Attribute information: v^(→)=(v₁, . . . , v_(n))=(x⁰, . . . , x^(n−1))

Alternatively,

Predicate information: v^(→)=(v₁, . . . , v_(n))=(θ₀, . . . , θ_(n−1))

Attribute information: w^(→)=(w₁, . . . , w_(n))=(x⁰, . . . , x^(n−1))

Basic Configuration of Inner Product Predicate Encryption

An example basic configuration of a key encapsulation mechanism (KEM) using inner product predicate encryption will be described below. This configuration includes Setup(1^(k)), GenKey(MSK, w^(→)), Enc(PA, v^(→)), and Dec(SKw, C₂).

Setting up Setup(1^(k))

Input: Security parameter k

Output: Master key information MSK, public parameter PK

In an example of Setup(1^(k)), a security parameter k is used as n, and an (n+1) row by (n+1) column matrix A having (n+1)-dimensional basis vectors a_(i) (i=1, . . . , n+1) as elements, an (n+1) row by (n+1) column matrix A* having basis vectors a_(i)*(i=1, . . . , n+1) as elements, and (n+1) row by (n+1) column matrixes X and X* used for coordinate conversion are selected. Then, (n+1)-dimensional basis vectors b_(i) (i=1, . . . , n+1) are calculated through coordinate conversion by Expression (22), and (n+1)-dimensional basis vectors b_(i)* (i=1, . . . , n+1) are calculated through coordinate conversion by Expression (24). Then, an (n+1) row by (n+1) column matrix B* having the basis vectors b_(i)*(i=1, . . . , n+1) as elements is output as master key information MSK; and vector spaces V and V*, an (n+1) row by (n+1) column matrix B having the basis vectors b_(i) (i=1, . . . , n+1) as elements, the security parameter k, a finite field F_(q), an elliptic curve E, cyclic groups G₁, G₂, and G_(T), generators g₁, g₂, and g_(T), a bilinear function e, and others are output as a public parameter PK.

Key Information Generation GenKey(MSK, w^(→))

Input: Master key information MSK, vector w^(→)

Output: Key information D* corresponding to vector w^(→)

In an example of GenKey(MSK, w^(→)), an element αεF_(q) is selected from the finite field F_(q). Then, the matrix B*, which is the master key information MSK, is used to generate and output key information D* corresponding to the vector w^(→) in the following way. D*=α·(Σ_(μ=1) ^(n) w _(μ) ·b _(μ)*)+b _(n+1) *εG ₂ ^(n+1)  (45) If it is difficult to solve a discrete logarithmic problem on the cyclic group G₂, it is difficult to separate and extract the components of w_(μ)·b_(μ)* and b_(n+1)* from the key information D*.

Encryption Enc(PA, v^(→))

Input: Public parameter PK, vector v^(→)

Output: Ciphertext C₂, common key K

In an example of Enc(PA, v^(→)), a common key K and a random number υ₁, which is an element of the finite field F_(q), are generated. Then, the public parameter PK, such as the matrix B, an element υ₂ corresponding to a value that includes the common key K, in the finite field F_(q), the vector v^(→), and the random number υ₁ are used to generate ciphertext C₂ in the following way. C ₂=υ₁·(Σ_(μ=1) ^(n) v _(μ) ·b _(μ))+υ₂ ·b _(n+1) εG ₁ ^(n+1)  (46) The ciphertext C₂ and the common key K are output. An example of the common key K is g_(T) ^(τ·υ2)εG_(T), where υ2 means υ₂. An example of τ is 1_(F), as described above. If it is difficult to solve a discrete logarithmic problem on the cyclic group G₁, it is difficult to separate and extract the components of v_(μ)·b_(μ) and υ₂·b_(n+1) from the ciphertext C₂.

Decryption and Key Sharing Dec(SKw, C₂)

Input: Key information D₁* corresponding to vector w^(→), ciphertext C₂

Output: Common key K

In an example of Dec(SKw, C₂), the ciphertext C₂ and the key information D₁* are input to the bilinear function e of Expression (2). Then, from the characteristics of Expressions (3) and (26), the following is satisfied.

$\begin{matrix} \begin{matrix} {{e\left( {C_{2},D^{*}} \right)} = {e\left( {{{\upsilon_{1} \cdot \left( {\sum\limits_{\mu = 1}^{n}{v_{\mu} \cdot b_{\mu}}} \right)} + {\upsilon_{2} \cdot b_{n + 1}}},{{\alpha \cdot \left( {\sum\limits_{\mu = 1}^{n}{w_{\mu} \cdot b_{\mu}^{*}}} \right)} + b_{n + 1}^{*}}} \right)}} \\ {= {{{e\left( {{\upsilon_{1} \cdot v_{1} \cdot b_{1}},{\alpha \cdot w_{1} \cdot b_{1}^{*}}} \right)} \cdot \ldots \cdot {e\left( {{\upsilon_{1} \cdot v_{n} \cdot b_{n}},{\alpha \cdot w_{n} \cdot b_{n}^{*}}} \right)}} \times}} \\ {e\left( {{\upsilon_{2} \cdot b_{n + 1}},b_{n + 1}^{*}} \right)} \\ {= {{e\left( {b_{1},b_{1}^{*}} \right)}^{\upsilon_{1} \cdot v_{1} \cdot \alpha \cdot w_{1\;}} \cdot \ldots \cdot {e\left( {b_{n},b_{n}^{*}} \right)}^{\upsilon_{1} \cdot v_{n} \cdot \alpha \cdot w_{n}} \cdot {e\left( {b_{n + 1},b_{n + 1}^{*}} \right)}^{\upsilon_{2}}}} \\ {= {g_{T}^{\tau \cdot \upsilon_{1} \cdot v_{1} \cdot \alpha \cdot w_{1}} \cdot \ldots \cdot g_{T}^{\tau \cdot \upsilon_{1} \cdot v_{n} \cdot \alpha \cdot w_{n}} \cdot g_{T}^{\tau \cdot \upsilon_{2}}}} \\ {= {g^{\tau \cdot \upsilon_{1} \cdot \alpha \cdot v^{\rightarrow} \cdot w^{\rightarrow}} \cdot g_{T}^{\tau \cdot \upsilon_{2}}}} \end{matrix} & (47) \end{matrix}$

When the inner product w^(→)·v^(→) is zero, Expression (47) can be changed to the following.

$\begin{matrix} \begin{matrix} {{e\left( {C_{2},D^{*}} \right)} = {g_{T}^{\tau \cdot \upsilon_{1} \cdot \alpha \cdot 0} \cdot g_{T}^{\tau \cdot \upsilon_{2}}}} \\ {= g_{T}^{\tau \cdot \upsilon_{2}}} \end{matrix} & (48) \end{matrix}$

From this result, the common key K is generated and output. An example of the common key K is g_(T) ^(τ·υ2)εG_(T).

First Embodiment

An information generation apparatus and method according to a first embodiment implement hierarchical cryptography by using the predicate encryption described above. More specifically, they employ the basis b* used in the predicate encryption described above to implement information derivation expressed in general semiordered structures other than tree structures.

FIG. 1 is an example of a functional block diagram of the information generation apparatus according to the first embodiment.

Each piece of information is assigned an index v=(v₁, . . . , v_(N-1))εI=(F_(q)∪{*})^(N-1), and a set w(v)={i|v_(i)=*}corresponding to the index v is defined, where * indicates an indeterminate character. Indexes that will be described below, such as an index u and an index Y, have the same structure as the index v: u=(u₁, . . . , u_(N-1))εI=(F_(q)∪{*})^(N-1) and Y=(Y₁, . . . , Y_(N-1))εI=(F_(q)∪{*})^(N-1). When w(u)⊂w(v) and v_(i)=u_(i) (iε{1, . . . , N−1}\w(v)) for the index uεI and the index vεI, in other words, when w(u)⊂w(v) and v_(i)=u_(i) for any iε{1, . . . , N−1}\w(v), the index u≦the index v and the index v is higher information than the index u, where the symbol \ indicates the subtraction of set and, for example, A\B={2, 3} when set A={1, 2, 3} and set B={1}.

When the index v={v₁, v₂, v₃}={2, *, *} and the index u={u₁, u₂, u₃}={2, *, 4}, for example, w(v)={2, 3} and w(u)={2} and w(u)⊂w(v) is satisfied. Here, v₁=u₁=2. Therefore, the index u≦the index v and the index v is higher information than the index u

In the following description, the index Y corresponds to information generated from the basis b_(i)*, the index v corresponds to information of a derivation base, and the index u corresponds to information derived from information of the derivation base.

Information Generation

The information generation apparatus and method generate information K_(Y) corresponding to the index Y by using the basis b_(i)* in Step A1 to Step A3 in FIG. 2. The information K_(Y) includes main information k_(Y) and derivation information k_(Yj). The main information k_(Y) is used as a decryption key, for example, in predicate encryption. The derivation information k_(Yj) is used to generate information lower than the information K_(Y) corresponding to the index Y.

The information generation apparatus receives the index YεI.

A random number generator 1 generates a random number σ_(Y)εZ_(q) and a random number σ_(Yj)εZ_(q) corresponding to each element jεw(Y) of a set w(Y) (in step A1). The generated random number σ_(Y) is sent to a main information generator 2. The generated random number σ_(Yj) is sent to a derivation information generator 3. When the set w(Y)={2, 3}, for example, the random number generator 1 generates σ_(Y), σ_(Y2), and σ_(Y3).

The main information generator 2 uses the generated random number σ_(Y) to calculate main information k_(Y) that satisfies k_(Y)=σ_(Y)Σ_(iε{1, . . . , N-1}\w(Y))Y_(i)b_(i)*+b_(N)* (in step A2). The calculated main information k_(Y) is stored in a storage 4.

The derivation information generator 3 uses the generated random number σ_(Yj) to calculate derivation information k_(Yj) that satisfies k_(Yj)=σ_(Yj)Σ_(iε{1, . . . , N-1}\w(Y))Y_(i)b_(i)*+b_(j)* for each element jεw(Y) of the set w(Y) (in step A3). The calculated derivation information k_(Yj) is stored in the storage 4.

Information Derivation

The information generation apparatus and method generate information K_(u) corresponding to a lower index u from information K_(v) corresponding to an upper index v, where u≦v, in step B1 to step B3 shown in FIG. 3.

The information K_(v) corresponding to the index v includes main information k_(v) and derivation information k_(vj). The main information k_(v) is used as a decryption key, for example, in predicate encryption. The derivation information k_(vj) is used to generate information lower than the information K_(v) corresponding to the index v. For example, the index v=Y and the information K_(v)=K_(Y). The information K_(u) generated in the processing of steps B1 to B3 may be regarded as new information K_(v) to generate information K_(u′) (u′≦u) lower than the information K_(u) corresponding to the index u.

The information K_(u) corresponding to the index u includes main information k_(u) and derivation information k_(uj). The main information k_(u) is used as a decryption key, for example, in predicate encryption. The derivation information k_(uj) is used to generate information lower than the information K_(u) corresponding to the index u.

The information generation apparatus receives the index v and the index u.

It is assumed that the storage 4 has stored the information K_(v) corresponding to the index v.

The random number generator 1 generates a random number σ_(u)εZ_(q) and a random number σ_(uj)εZ_(q) corresponding to each element jεw(u) of a set w(u) (in step B1). The generated random number σ_(u) is sent to a main information deriving unit 5. The generated random number σ_(uj) is sent to a derivation information deriving unit 6.

The main information deriving unit 5 uses the main information k_(v) and the derivation information k_(vi), both of which are read from the storage 4, and the generated random number σ_(u) to calculate main information k_(u) corresponding to the index u, that satisfies k_(u)=σ_(u)Σ_(iεw(v)\w(u))u_(i)k_(vi)+k_(v) (in step B2). The calculated main information k_(u) is stored in the storage 4.

The derivation information deriving unit 6 uses the derivation information k_(vj) read from the storage 4 and the generated random number σ_(uj) to calculate derivation information k_(uj) that satisfies k_(uj)=σ_(uj)Σ_(iεw(v)\w(u))u_(i)k_(vi)+k_(vj) for each element jεw(u) of the set w(u) (in step B3). The calculated derivation information k_(uj) is stored in the storage 4.

As described above, the information K_(Y) corresponding to the index Y is generated and information corresponding to a lower index is derived from the information K_(Y). This means that, for a parent node A and a parent node B both having a common child node C, information of the common child node C can be derived from information of the parent node A and information of the common child node C can be derived from information of the parent node B.

Specific Case 1

A case will be described below in which information of each node serves as a key in predicate encryption and information of an index v³, generated from information of an index v¹ matches information of the index v³, generated from information of an index v² in terms of a key in predicate encryption. The indexes v¹, v², and v³, described below, are examples, and the same things can apply to the other indexes.

It is assumed that the index v¹={v₁, v₂, *, *}, the index v²={*, *, v₃, v₄}, and the index v³={v₁, v₂, v₃, v₄}. From the definition, v¹≧v³ and v²≧v³ and the index v¹, serving as a parent node, and the index v², serving as a parent node, have the index v³ as a common child node. In the following description, v^(i) (i=1, 2, 3) may be indicated by v^i, and the j-th element of the index v^(i) may be indicated by v^ij.

N is set to 5, and information K_(V^1) corresponding to the index v¹ and information K_(v^3)′ corresponding to the index v² are generated from N bases b₁*, b₂*, b₃*, b₄*, and b₅*. Random numbers σ_(v^1), σ_(v^13), σ_(v^14), σ_(v^2), σ_(v^23), σ_(v^24), σ_(v^3), and σ_(v^3)′ are generated by the random number generator 1.

The information K_(V^1) (main information k_(v^1) and derivation information k_(v^3) and k_(v^4)) corresponding to the index v¹ is as described below. k _(v^1)=σ_(v^1)(v ₁ b ₁ *+v ₂ b ₂*)+b _(5*) k _(v^13)=σ_(v^13)(v ₁ b ₁ *+v ₂ b ₂*)+b ₃* k _(v^14)=σ_(v^14)(v ₁ b ₁ *+v ₂ b ₂*)+b ₄*

The information K_(v^2) (main information k_(v^2) and derivation information k_(v^21) and k_(v^22)) corresponding to the index v² is as described below. k _(v^2)=σ_(v^2)(v ₃ b ₃ *+v ₄ b ₄*)+b ₅* k _(v^21)=σ_(v^23)(v ₃ b ₃ *+v ₄ b ₄*)+b ₁* k _(v^22)=σ_(v^24)(v ₃ b ₃ *+v ₄ b ₄*)+b ₂*

The main information k_(v^3) corresponding to the index v³ is derived from the information K_(v^1) corresponding to the index v¹ as described below.

$\begin{matrix} \begin{matrix} {k_{v\hat{}3} = {{\sigma_{v\hat{}3}\left( {{v_{3}k_{v\hat{}13}} + {v_{4}k_{v\hat{}1}}} \right)} + k_{v\;\hat{}1}}} \\ {= {{{\sigma\left( {}_{v\hat{}3}{\left( {{v_{3}\sigma_{v\hat{}13}} + {v_{4}\sigma_{v\hat{}14}}} \right) + \sigma_{v\hat{}1}} \right)}\left( {{v_{1}b_{1}^{*}} + {v_{2}b_{2}^{*}}} \right)} +}} \\ {{\sigma_{v\hat{}3}\left( {{v_{3}b_{3}^{*}} + {v_{4}b_{4}^{*}}} \right)} + b_{5}^{*}} \\ {= {{a\left( {{v_{1}b_{1}^{*}} + {v_{2}b_{2}^{*}}} \right)} + {b\left( {{v_{3}b_{3}^{*}} + {v_{4}b_{4}^{*}}} \right)} + b_{5}^{*}}} \end{matrix} & (A) \end{matrix}$ where a=(σ_(v^3)(v₃σ_(v^13)+v₄σ_(v^14))+σ_(v^1)) and b=σ_(v^3).

Main information k_(v^3) corresponding to the index v³ is derived from the information K_(v^2) corresponding to the index v² as described below.

$\begin{matrix} \begin{matrix} {k_{v\hat{}3} = {{\sigma_{v\hat{}3}^{\prime}\left( {{v_{1}k_{v\hat{}21}} + v_{21} + {v_{2}k_{v\hat{}22}}} \right)} + k_{v\hat{}2}}} \\ {= {{\left( {{\sigma_{v\hat{}3}^{\prime}\left( {{v_{1}\sigma_{v\hat{}23}} + {v_{4}\sigma_{v\hat{}24}}} \right)} + \sigma_{v\hat{}2}} \right)\left( {{v_{3}b_{3}^{*}} + {v_{4}b_{4}^{*}}} \right)} +}} \\ {{\sigma_{v\hat{}3}^{\prime}\left( {{v_{1}b_{1}^{*}} + {v_{2}b_{2}}} \right)} + b_{5}^{*}} \\ {= {{c\left( {{v_{1}b_{1}^{*}} + {v_{2}b_{2}^{*}}} \right)} + {d\left( {{v_{3}b_{3}^{*}} + {v_{4}b_{4}^{*}}} \right)} + b_{5}^{*}}} \end{matrix} & (B) \end{matrix}$ where c=σ_(v^3)′ and d=(σ_(v^3)′(v₁σ_(v^23)+v₄σ_(v^24))+σ_(v^2)).

The main information k_(v^3) derived from the information K_(v^1), shown in Expression (A), and the main information k_(v^3) derived from the information K_(v^2), shown in Expression (B), are not equal in value but are a same-value key in predicate encryption. More specifically, when (v₁b₁*+v₂b₂*) is regarded as the inner product of a vector (b₁*, b₂*) and a vector (v₁, v₂), the direction of the vector (v₁, v₂) with respect to the vector (b₁*, b₂*) is the same in both Expressions (A) and (B); when (v₃b₃*+v₄b₄*) is regarded as the inner product of a vector (b₃*, b₄*) and a vector (v₃, v₄), the direction of the vector (v₃, v₄) with respect to the vector (b₃*, b₄*) is the same in both Expressions (A) and (B). This means that both keys are a same-value key in predicate encryption.

Second Embodiment

FIG. 4 is an example functional block diagram of an information generation apparatus according to a second embodiment.

It is assumed that cyclic groups G and G_(T) has a prime number order q; the cyclic group G has a generator g; the cyclic group G has a pairing function e: G×G→G_(T), which makes g_(T)=e(g, g) a generator of the cyclic group G_(T); a random number a is selected from Z_(p) at random; and g, g₁=g^(a)εG, and g₂, g₃, h₁, . . . , h_(N-1)εG randomly selected from the cyclic group G are made publicly available as public keys.

Information Generation

The information generation apparatus and an information generation method generate information K_(Y) corresponding to an index Y by using the public keys in step C1 to step C4 in FIG. 5. The information K_(Y) includes first main information k_(Y), second main information g^(rY), and derivation information k_(yj). The first main information k_(Y) and the second main information g^(rY) are used, for example, as decryption keys. The derivation information k_(Yj) is used to generate information lower than the information K_(Y) corresponding to the index Y.

The information generation apparatus receives the index YεI.

A random number generator 1 generates a random number r_(Y)εZ_(q) (in step C1). The generated random number r_(Y) is sent to a first main information generator 21, a second main information generator 22, and a derivation information generator 3.

The first main information generator 21 uses the generated random number r_(Y) to calculate first main information k_(Y) that satisfies k_(Y)=g₂ ^(a)(g₃Π_(iε{1, . . . , N-1}\w(Y))h_(i) ^(Yi))^(rY) (in step C2). The calculated first main information k_(Y) is stored in a storage 4.

The second main information generator 22 uses the generated random number r_(Y) to calculate second main information g^(rY) (in step C3). The calculated second main information g^(rY) is stored in the storage 4.

The derivation information generator 3 uses the generated random number r_(Y) to calculate derivation information k_(Yj) that satisfies k_(Yj)=h_(j) ^(rY) for each element jεw(Y) of a set w(Y) (in step C4). The calculated derivation information k_(Yj) is stored in the storage 4.

Information Derivation

The information generation apparatus and method generate information K_(u) corresponding to a lower index u from information K_(v) corresponding to an upper index v, where u≦v, in step D1 to step D4 shown in FIG. 6.

The information K_(v) corresponding to the index v includes first main information k_(v), second main information g^(rv), and derivation information k_(vj). The first main information k_(v) and the second main information g^(rv) are used, for example, as decryption keys. The derivation information k_(vj) is used to generate information lower than the information K_(v) corresponding to the index v. For example, the index v=Y and the information K_(v)=K_(Y). The information K_(u) generated in the processing of steps D1 to D4 may be regarded as new information K_(v) to generate information K_(u′) (u′≦u) lower than the information K_(u) corresponding to the index u.

The information K_(u) corresponding to the index u includes first main information k_(u), second main information g^(ru), and derivation information k_(uj). The first main information k_(u) and the second main information g^(ru) are used, for example, as decryption keys. The derivation information k_(uj) is used to generate information lower than the information K_(u) corresponding to the index u.

The information generation apparatus receives the index v and the index u.

It is assumed that the storage 4 has stored the information K_(v) corresponding to the index v.

The random number generator 1 generates a random number r_(u) (in step D1). The generated random number is sent to a first main information deriving unit 51, a second main information deriving unit 52, and a derivation information deriving unit 6.

The first main information deriving unit 51 uses the first main information k_(v) and the derivation information k_(vi), both of which are read from the storage 4, and the generated random number r_(u) to calculate first main information k_(u) corresponding to the index u, that satisfies k_(u)=k_(v)(Π_(iεw(v)\w(u))k_(vi) ^(ui))(g₃Π_(iε{1, . . . , N-1}\w(v))h_(i) ^(vi)Π_(iεw(v)\w(u))h_(i) ^(ui))^(ru) (in step D2). The calculated first main information k_(u) is stored in the storage 4.

The second main information deriving unit 52 uses the generated random number r_(u) to calculate second main information g^(ru) (in step D3). The calculated second main information g^(ru) is stored in the storage 4.

The derivation information deriving unit 6 uses the derivation information k_(vi) read from the storage and the generated random number r_(u) to calculate derivation information k_(uj) that satisfies k_(uj)=k_(vj)h_(j) ^(ru) for each element jεw(u) of a set w(u) (in step D4). The calculated derivation information k_(uj) is stored in the storage 4.

As described above, the information K_(Y) corresponding to the index Y is generated and information corresponding to a lower index is derived from the information K_(Y). This means that, for a parent node A and a parent node B both having a common child node C, information of the common child node C can be derived from information of the parent node A and information of the common child node C can be derived from information of the parent node B.

Specific Case 2

A case will be described below in which information of each node serves as a key in predicate encryption and information of an index v³, generated from information of an index v¹ matches information of the index v³, generated from information of an index v² in terms of a key in predicate encryption. The indexes v¹, v², and v³, described below, are examples, and the same things can apply to the other indexes.

It is assumed that the index v¹={v₁, v₂, *, *}, the index v²={*, *, v₃, v₄}, and the index v³={v₁, v₂, v₃, v₄}. From the definition, v¹≧v³ and v²≧v³ and the index v¹, serving as a parent node, and the index v², serving as a parent node, have the index v³ as a common child node. In the following description, v^(i) (i=1, 2, 3) may be indicated by v^i, and the j-th element of the index v^(i) may be indicated by v^ij.

It is assumed that N is set to 5 and g₁=g^(a), g^(a), g₃, h₁, h₂, h₃, h₄εG are made publicly available as public keys. From these public keys, information K_(v^1) corresponding to the index v¹ and information K_(v^2) corresponding to the index v² are generated. Random numbers r_(v^1) and r_(v^2) are generated by the random number generator 1.

The information K_(v^1) (first main information k_(v^1), second main information g^(rv^1), and derivation information k_(v^13) and k_(v^14)) corresponding to the index v¹ is as described below. k _(v^1) =g ₂ ^(a)(g ₃ h ₁ ^(v1) h ₂ ^(v2))^(rv^1) g ^(rv^1) k _(v^13) =h ₃ ^(rv^1) k _(v^14) =h ₄ ^(rv^1)

The information K_(v^2) (first main information k_(v^2), second derivation information g^(rv^2), and derivation information k_(v^21) and k_(v^22)) corresponding to the index v² is as described below. k _(v^2) =g ₂ ^(a)(g ₃ h ₃ ^(v3) h ₄ ^(v4))^(rv^2) g ^(rv^2) k _(v^21) =h ₁ ^(rv^2) k _(v^22) =h ₂ ^(rv^2)

First main information k_(v^3) corresponding to the index v³ is derived from the information K_(v^1) corresponding to the index v¹ as described below.

$\begin{matrix} \begin{matrix} {k_{v\hat{}3} = {{k_{v\hat{}1}\left( {k_{v\hat{}13}^{v\; 3}k_{v\hat{}14}^{v\; 4}} \right)}\left( {g_{3}h_{1}^{v\; 1}h_{2}^{v\; 2}h_{3}^{v\; 3}h_{4}^{v\; 4}} \right)^{{rv}\;\hat{}3}}} \\ {= {g_{2}^{a}\left( {g_{3}h_{1}^{v\; 1}h_{2}^{v\; 2}h_{3}^{v\; 3}h_{4}^{v\; 4}} \right)}^{r}} \end{matrix} & (C) \end{matrix}$ where r_(v^3) is a random number generated by the random number generator 1, and r=r_(v^1)+r_(v^3).

First main information k_(v^3) corresponding to the index v³ is derived from the information K_(v^2) corresponding to the index v² as described below.

$\begin{matrix} \begin{matrix} {k_{v\hat{}3} = {{k_{v\hat{}1}\left( {k_{v\hat{}13}^{v\; 3}k_{v\hat{}14}^{v\; 4}} \right)}\left( {g_{3}h_{1}^{v\; 1}h_{2}^{v\; 2}h_{3}^{v\; 3}h_{4}^{v\; 4}} \right)^{{rv}\;\hat{}3}}} \\ {= {g_{2}^{a}\left( {g_{3}h_{1}^{v\; 1}h_{2}^{v\; 2}h_{3}^{v\; 3}h_{4}^{v\; 4}} \right)}^{r}} \end{matrix} & (D) \end{matrix}$ where r_(v^3′) is a random number and r′=r_(v^2)+r_(v^3′).

The first main information k_(v^3) derived from the information K_(v^1), shown in Expression (C), and the second main information g^(rv^3), and the first main information k_(v^3) derived from the information K_(v^2), shown in Expression (D), and the second main information g^(rv^3′) are not equal in value but are a same-value key in predicate encryption because the ratios of the exponents of the public keys g₃, h₁, h₂, h₃, and h₄ are equal.

Modifications and Others

In each of the above described embodiments, the information generation apparatus includes all of the main information generator 2, the derivation information generator 3, the main information deriving unit 5, and the derivation information deriving unit 6, but the information generation apparatus needs to have at least one of them. For example, the information generation apparatus may have only the main information generator 2 and the derivation information generator 3. Alternatively, the information generation apparatus may have only the main information deriving unit 5 and the derivation information deriving unit 6, and may use the information K_(v) already generated and stored in the storage 4 to generate the information K_(u).

Each operation defined on the finite field F_(q) may be replaced with an operation defined on a finite ring Z_(q) of order q. An example of replacing each operation defined on the finite field F_(q) with an operation defined on the finite ring Z_(q) is a method of permitting q other than a prime number or a power thereof.

Each of the information generation apparatuses described above can be implemented by a computer. In that case, the processing details of the functions that should be provided by the apparatus are described in a program. When the program is executed by a computer, the processing functions of the apparatus are implemented on the computer.

The information generation program containing the processing details can be recorded in a computer-readable recording medium. The information generation apparatus is configured when the program is executed by a computer. At least a part of the processing details may be implemented by hardware.

The present invention is not limited to the above described embodiments. Any modifications are possible within the scope of the present invention. 

What is claimed is:
 1. An information generation apparatus comprising: a processor; a random number generator, implemented by the processor, adapted to generate a random number σ_(Y)εZ_(q) and a random number σ_(Yj)εZ_(q) corresponding to each element jεw(Y) of a set w(Y); a main information generator, implemented by the processor, adapted to use the generated random number σ_(Y) to calculate main information k_(Y) that satisfies k_(Y)=σ_(Y)Σ_(iε{1, . . . , N-1}\w(Y))Y_(i)b_(i)*+b_(N)*; and a derivation information generator, implemented by the processor, adapted to use the generated random number σ_(Yj) to calculate derivation information k_(Yj) that satisfies k_(Yj)=σ_(Yj)Σ_(iε{1, . . . , N-1}\w(Y))Y_(i)b_(i)*+b_(j)* for each element jεw(Y) of the set w(Y); where e is a non-degenerate, bilinear function that outputs one element of a cyclic group G_(T) in response to inputs of N elements γ_(L) (L=1, . . . , N) (N≧2) of a cyclic group G₁ and N elements γ_(L)* (L=1, . . . , N) of a cyclic group G₂; b_(i)εG₁ ^(N) (i=1, . . . , N) is an N-dimensional basis vector having N elements of the cyclic group G₁ as elements; b_(j)*εG₂ ^(N) (j=1, . . . , N) is an N-dimensional basis vector having N elements of the cyclic group G₂ as elements; a function value obtained when each element of the basis vector b_(i)εG₁ ^(N) (i=1, . . . , N) and each element of the basis vector b_(j)*εG₂ ^(N) (j=1, . . . , N) are put into the bilinear function e is represented by g_(T) ^(τ·δ(i,j))εG_(T), using a Kronecker's delta function in which δ(i, j)=1_(F) when i=j and δ(i, j)=0_(F) when i≠j; 0_(F) is an additive unit element of a finite field F_(q); 1_(F) is a multiplicative unit element of the finite field F_(q); τ is an element of the finite field F_(q), other than 0_(F); and g_(T) is a generator of the cyclic group G_(T); and * indicates an indeterminate character, an index Y is Y=(Y₁, . . . , Y_(N-1))εI=(F_(q)∪{*})^(N-1), the set w(Y) corresponds to the index Y, and w(Y)={i|Y_(i)=*}.
 2. The information generation apparatus according to claim 1, wherein the random number generator further generates a random number σ_(u)εZ_(q), the information generation apparatus comprising: a storage device adapted to store main information k_(v) corresponding to an index v and derivation information k_(vj) corresponding to the index v; and a main information deriving unit, implemented by the processor, adapted to use the main information k_(v) and derivation information k_(vi), both of which are read from the storage device, and the generated random number σ_(u) to calculate main information k_(u) corresponding to an index u, which satisfies k_(u)=σ_(u)Σ_(iεw(v)\w(u))u_(i)k_(vi)+k_(v); where * indicates an indeterminate character; the index v is v=(v₁, . . . , v_(N-1))εI=(F_(q)∪{*})^(N-1); w(v) is a set corresponding to the index v and w(v)={i|v_(i)=*}; the index u is u=(u₁, . . . , u_(N-1))εI=(F_(q)∪{*})^(N-1); w(u) is a set corresponding to the index u and w(u)={i|u_(i)=*}; w(u)⊂w(v); and v_(i)=u_(i)(iε{1, . . . , N−1}\w(v)).
 3. The information generation apparatus according to claim 2, wherein the random number generator further generates a random number σ_(uj)εZ_(q), corresponding to each element jεw(u) of the set w(u); the information generation apparatus further comprising: a derivation information deriving unit, implemented by the processor, adapted to use the derivation information k_(vj) read from the storage device and the generated random number σ_(uj) to calculate derivation information k_(uj) corresponding to the index u, which satisfies k_(uj)=σ_(uj)Σ_(iεw(v)\w(u))u_(i)k_(vi)+k_(vj), for each element jεw(u) of the set w(u).
 4. An information generation apparatus comprising: a storage device adapted to store main information k_(v) serving as main information k_(Y) or corresponding to an index v, derived from the main information k_(Y) and derivation information k_(Yj), and derivation information k_(vj) serving as the derivation information k_(Yj) or corresponding to the index v, derived from the derivation information k_(Yj); a processor; a random number generator, implemented by the processor, adapted to generate a random number σ_(u)εZ_(q); and a main information deriving unit, implemented by the processor, adapted to use the main information k_(v) and derivation information k_(vi), both of which are read from the storage unit, and the generated random number σ_(u) to calculate main information k_(u) corresponding to an index u, which satisfies k_(u)=σ_(u)Σ_(iεw(v)\w(u))u_(i)k_(vi)+k_(v); where e is a non-degenerate, bilinear function that outputs one element of a cyclic group G_(T) in response to inputs of N elements γ_(L) (L=1, . . . , N) (N≧2) of a cyclic group G₁ and N elements γ_(L)* (L=1, . . . , N) of a cyclic group G₂; b_(i)εG₁ ^(N) (i=1, . . . , N) is an N-dimensional basis vector having N elements of the cyclic group G₁ as elements; b_(j)*εG₂ ^(N) (j=1, . . . , N) is an N-dimensional basis vector having N elements of the cyclic group G₂ as elements; a function value obtained when each element of the basis vector b_(i)εG₁ ^(N) (i=1, . . . , N) and each element of the basis vector b_(j)*εG₂ ^(N) (j=1, . . . , N) are put into the bilinear function e is represented by g_(T) ^(τ·δ(i,j))εG_(T), using a Kronecker's delta function in which δ(i, j)=1_(F) when i=j and δ(i, j)=0_(F) when i≠j; 0_(F) is an additive unit element of a finite field F_(q); 1_(F) is a multiplicative unit element of the finite field F_(q); τ is an element of the finite field F_(q), other than 0_(F); and g_(T) is a generator of the cyclic group G_(T); and * indicates an indeterminate character; an index Y is Y=(Y₁, . . . , Y_(N-1))εI=(F_(q)∪{*})^(N-1); a set w(Y) corresponding to the index Y is w(Y)={i|Y_(i)=*}; σ_(Y)εZ_(q) is a random number; σ_(Yi)εZ_(q) is a random number corresponding to each element jεw(Y) of the set w(Y); the main information k_(Y) corresponds to the index Y and satisfies k_(Y)=σ_(Y)Σ_(iε{1, . . . , N-1}\w(Y))Y_(i)b_(i)*+b_(N)*; and the derivation information k_(Yi) corresponds to the index Y and satisfies k_(Yj)=σ_(Yj)Σ_(iε{1, . . . , N-1}\w(Y))Y_(i)b_(i)*b_(j)*; * indicates an indeterminate character; the index v is v=(v₁, . . . , v_(N-1))εI=(F_(q)∪{*})^(N-1); the index u is u=(u₁, . . . , u_(N-1))εI=(F_(q)∪{*})^(N-1); w(v) is a set corresponding to the index v and w(v)={i|v_(i)=*}; w(u) is a set corresponding to the index u and w(u)={i|u_(i)=*}; w(u)⊂w(v); and v_(i)=u_(i)(iε{1, . . . N−1}\w(v)).
 5. The information generation apparatus according to claim 4, wherein the random number generator further generates a random number σ_(uj)εZ_(q), corresponding to each element jεw(u) of the set w(u); the information generation apparatus further comprising: a derivation information deriving unit, implemented by the processor, adapted to use the derivation information k_(vj) read from the storage device and the generated random number σ_(uj) to calculate derivation information k_(uj) that satisfies k_(uj)=σ_(uj)Σ_(iεw(v)\w(u))u_(i)k_(vi)+k_(vj) for each element jεw(u) of the set w(u).
 6. An information generation apparatus comprising: a processor; a random number generator, implemented by the processor, adapted to generate a random number r_(Y)εZ_(q); a first main information generator, implemented by the processor, adapted to use the generated random number r_(Y) to calculate first main information k_(Y) that satisfies k_(Y)=g₂ ^(a)(g₃Π_(iε{1, . . . , N−1}\w(Y))h_(i) ^(Yi))^(rY); a second main information generator, implemented by the processor, adapted to use the generated random number r_(Y) to calculate second main information g^(rY); and a derivation information generator, implemented by the processor, adapted to use the generated random number r_(Y) to calculate derivation information k_(Yj) that satisfies k_(Yj)=h_(j) ^(rY) for each element jεw(Y) of a set w(Y); where G and G_(T) are cyclic groups having a prime number order q; g is a generator of the cyclic group G; the cyclic group G has a pairing function e: G×G→G_(T), which makes g_(T)=e(g, g) a generator of the cyclic group G_(T); a is a random number selected at random from Z_(p); and g, g₁=g^(a)εG, and g₂, g₃, h₁, . . . , h_(N-1)εG randomly selected from the cyclic group G are made publicly available as public keys; and * indicates an indeterminate character; an index Y is Y=(Y₁, . . . , Y_(N-1))εI=(F_(q)∪{*})^(N-1); the set w(Y) corresponds to the index Y; and w(Y)={i|Y_(i)=*}.
 7. The information generation apparatus according to claim 6, wherein the random number generator further generates a random number r_(u)εZ_(q), the information generation apparatus comprising: a storage device adapted to store first main information k_(v) corresponding to an index v, second main information g^(r), and derivation information k_(vj) corresponding to the index v; a first main information deriving unit, implemented by the processor, adapted to use the first main information k_(v) and derivation information k_(vi), both of which are read from the storage device, to calculate first main information corresponding to an index u, which satisfies k_(u)=k_(v)(Π_(iεw(v)\w(u))k_(vi) ^(ui))(g₃Π_(iε{1, . . . , N-1}\w(v))h_(i) ^(vi)Π_(iεw(v)\w(u))h_(i) ^(ui))^(ru); and a second main information deriving unit, implemented by the processor, adapted to use the generated random number r_(u) to calculate second main information g^(ru); where * indicates an indeterminate character; the index v is v=(v₁, . . . , v_(N-1))εI=(F_(q)∪{*})^(N-1); w(v) is a set corresponding to the index v and w(v)={i|v_(i)=*}; the index u is u=(u₁, . . . , u_(N-1))εI=(F_(q)∪{*})^(N-1); and w(u) is a set corresponding to the index u and w(u)={i|u_(i)=*}; w(u)⊂w(v); and v_(i)=u_(i) (iε{1, . . . , −1}\w(v)).
 8. The information generation apparatus according to claim 7, further comprising a derivation information deriving unit, implemented by the processor, adapted to use the derivation information k_(vi) read from the storage device and the generated random number r_(u) to calculate derivation information k_(uj) that satisfies k_(uj)=k_(vj)h_(j) ^(ru) for element jεw(u) of the set w(u).
 9. An information generation apparatus comprising: a processor; a random number generator, implemented by the processor, adapted to generate a random number r_(u)εZ_(q); a storage device adapted to store main information k_(v) serving as main information K_(Y) or corresponding to an index v, derived from first main information k_(Y) and derivation information k_(Yj), and derivation information k_(vj) serving as derivation information k_(Yj) or corresponding to the index v, derived from the derivation information k_(Yj); a first main information deriving unit, implemented by the processor, adapted to use the first main information k_(v) and derivation information k_(vi), both of which are read from the storage device, to calculate first main information k_(u) corresponding to an index u, which satisfies k_(u)=k_(v)(Π_(iεw(v)\w(u))k_(vi) ^(ui))(g₃Π_(iε{1, . . . , N-1}\w(v))h_(i) ^(vi)Π_(iεw(v)\w(u))h_(i) ^(ui))^(ru); and a second main information deriving unit, implemented by the processor, adapted to use the generated random number r_(u) to calculate second main information g^(ru); where G and G_(T) are cyclic groups having a prime number order q; g is a generator of the cyclic group G; the cyclic group G has a pairing function e: G×G→G_(T), which makes g_(T)=e(g, g) a generator of the cyclic group G_(T); a is a random number selected at random from Z_(p); and g, g₁=g^(a)εG, and g₂, g₃, h₁, . . . , h_(N-1)εG randomly selected from the cyclic group G are made publicly available as public keys; * indicates an indeterminate character; an index Y is Y=(Y₁, . . . , Y_(N-1))εI=(F_(q)∪{*})^(N-1); and a set w(Y) corresponding to the index Y is w(Y)={i|Y₁=*}; r_(Y)εZ_(q) is a random number; the first main information k_(Y) corresponds to the index Y and satisfies k_(Y)=g₂ ^(a)(g₃(Π_(iε{1, . . . , N-1}\w(v))h_(i) ^(Yi))^(rY); g^(rY) is second main information corresponding to the index Y; and the derivation information k_(Yj) corresponds to the index Y and satisfies k_(Yj)=h_(j) ^(rY); and * indicates an indeterminate character; the index v is v=(v₁, . . . , v_(N-1))εI=(F_(q)∪{*})^(N-1); w(v) is a set corresponding to the index v and w(v)={i|v_(i)=*}; the index u is u=(u₁, . . . , u_(N-1))ε=I(F_(q)∪{*})^(N-1); w(u) is a set corresponding to the index u and w(u)={i|u_(i)=*}; set w(u)⊂set w(v); and v_(i)=u_(i)(iε{1, . . . , N−1}\w(v)).
 10. The information generation apparatus according to claim 9, further comprising a derivation information deriving unit, implemented by the processor, adapted to use the derivation information k_(vi) read from the storage device and the generated random number r_(u) to calculate derivation information k_(uj) that satisfies k_(uj)=k_(vj)h_(j) ^(ru) for element jεw(u) of the set w(u).
 11. An information generation method, implemented by an information generation apparatus having a processor, comprising: generating, in a random number generator, a random number σ_(Y)εZ_(q) and a random number σ_(Yj)εZ_(q) corresponding to each element jεw(Y) of a set w(Y); using, in a main information generator, the generated random number σ_(Y) to calculate main information k_(Y) that satisfies k_(Y)=σ_(Y)Σ_(iε{1, . . . , N-1}\w(Y))Y_(i)b_(i)*+b_(N)*; and using, in a derivation information generator, the generated random number σ_(Yj) to calculate derivation information k_(Yj) that satisfies k_(Yj)=σ_(Yj)Σ_(iε{1, . . . , N-1}\w(Y))Y_(i)b_(i)*+b_(j)* for each element jεw(Y) of the set w(Y); where e is a non-degenerate, bilinear function that outputs one element of a cyclic group G_(T) in response to inputs of N elements γ_(L) (L=1, . . . , N) (N≧2) of a cyclic group G₁ and N elements γ_(L)* (L=1, . . . , N) of a cyclic group G₂; b_(i)εG₁ ^(N) (i=1, . . . , N) is an N-dimensional basis vector having N elements of the cyclic group G₁ as elements; b_(j)*εG₂ ^(N) (j=1, . . . , N) is an N-dimensional basis vector having N elements of the cyclic group G₂ as elements; a function value obtained when each element of the basis vector b_(i)εG₁ ^(N) (i=1, . . . , N) and each element of the basis vector b_(j)*εG₂ ^(N) (j=1, . . . , N) are put into the bilinear function e is represented by g_(T) ^(τ·δ(i,j))εG_(T), using a Kronecker's delta function in which δ(i, j)=1_(F) when i=j and δ(i, j)=0_(F) when i≠j; 0_(F) is an additive unit element of a finite field F_(q); 1_(F) is a multiplicative unit element of the finite field F_(q); τ is an element of the finite field F_(q), other than 0_(F); and g_(T) is a generator of the cyclic group G_(T); and * indicates an indeterminate character, an index Y is Y=(Y₁, . . . , Y_(N-1))εI=(F_(q)∪{*})^(N-1), and the set w(Y) corresponds to the index Y and w(Y)={i|Y_(i)=*}.
 12. An information generation method, implemented by an information generation apparatus having a processor, comprising: generating, in a random number generator, a random number r_(Y)εZ_(q); using, in a first main information generator, the generated random number r_(Y) to calculate first main information k_(Y) that satisfies k_(Y)=g₂ ^(a)(g₃Π_(iε{1, . . . , N-1}\w(Y))h_(i) ^(Yi))^(rY); using, in a second main information generator, the generated random number r_(Y) to calculate second main information g^(rY); and using, in a derivation information generator, the generated random number r_(Y) to calculate derivation information k_(Yj) that satisfies k_(Yj)=h_(j) ^(rY) for each element jεw(Y) of a set w(Y); where G and G_(T) are cyclic groups having a prime number order q; g is a generator of the cyclic group G; the cyclic group G has a pairing function e: G×G→G_(T), which makes g_(T)=e(g, g) a generator of the cyclic group G_(T); a is a random number selected at random from Z_(p); and g, g₁=g^(a)εG, and g₂, g₃, h₁, . . . , h_(N-1)εG randomly selected from the cyclic group G are made publicly available as public keys; and * indicates an indeterminate character; an index Y is Y=(Y₁, . . . , Y_(N-1))εI=(F_(q)∪{*})^(N-1); and the set w(Y) corresponds to the index Y and w(Y)={i|Y_(i)=*}.
 13. A non-transitory computer-readable recording medium having stored thereon an information generation program that causes a computer to function as each unit of the information generation apparatus according to any one of claims 1 to
 10. 